net/vhost: fix access to freed memory

[ upstream commit 9dc6bb0 ] This patch fixes heap-use-after-free reported by ASan. It is possible for the rte_vhost_dequeue_burst() to access the vq is freed when numa_realloc() gets called in the device running state. The control plane will set the vq->access_lock to protected the vq from the data plane. Unfortunately the lock will fail at the moment the vq is freed, allowing the rte_vhost_dequeue_burst() to access the fields of the vq, which will trigger a heap-use-after-free error. In the case of multiple queues, the vhost pmd can access other queues that are not ready when the first queue is ready, which makes no sense and also allows numa_realloc() and rte_vhost_dequeue_burst() access to vq to happen at the same time. By controlling vq->allow_queuing we can make the pmd access only the queues that are ready. Fixes: 1ce3c7f ("net/vhost: emulate device start/stop behavior") Signed-off-by: Yuan Wang <yuanx.wang@intel.com> Tested-by: Wei Ling <weix.ling@intel.com> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
kevintraynor · May 24, 2022 · 58d1b85 · 58d1b85
1 parent 24dabb9
commit 58d1b85
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/drivers/net/vhost/rte_eth_vhost.c b/drivers/net/vhost/rte_eth_vhost.c
@@ -720,6 +720,7 @@ update_queuing_status(struct rte_eth_dev *dev)
 {
 	struct pmd_internal *internal = dev->data->dev_private;
 	struct vhost_queue *vq;
+	struct rte_vhost_vring_state *state;
 	unsigned int i;
 	int allow_queuing = 1;
 
@@ -730,12 +731,17 @@ update_queuing_status(struct rte_eth_dev *dev)
 	    rte_atomic32_read(&internal->dev_attached) == 0)
 		allow_queuing = 0;
 
+	state = vring_states[dev->data->port_id];
+
 	/* Wait until rx/tx_pkt_burst stops accessing vhost device */
 	for (i = 0; i < dev->data->nb_rx_queues; i++) {
 		vq = dev->data->rx_queues[i];
 		if (vq == NULL)
 			continue;
-		rte_atomic32_set(&vq->allow_queuing, allow_queuing);
+		if (allow_queuing && state->cur[vq->virtqueue_id])
+			rte_atomic32_set(&vq->allow_queuing, 1);
+		else
+			rte_atomic32_set(&vq->allow_queuing, 0);
 		while (rte_atomic32_read(&vq->while_queuing))
 			rte_pause();
 	}
@@ -744,7 +750,10 @@ update_queuing_status(struct rte_eth_dev *dev)
 		vq = dev->data->tx_queues[i];
 		if (vq == NULL)
 			continue;
-		rte_atomic32_set(&vq->allow_queuing, allow_queuing);
+		if (allow_queuing && state->cur[vq->virtqueue_id])
+			rte_atomic32_set(&vq->allow_queuing, 1);
+		else
+			rte_atomic32_set(&vq->allow_queuing, 0);
 		while (rte_atomic32_read(&vq->while_queuing))
 			rte_pause();
 	}
@@ -967,6 +976,8 @@ vring_state_changed(int vid, uint16_t vring, int enable)
 	state->max_vring = RTE_MAX(vring, state->max_vring);
 	rte_spinlock_unlock(&state->lock);
 
+	update_queuing_status(eth_dev);
+
 	VHOST_LOG(INFO, "vring%u is %s\n",
 			vring, enable ? "enabled" : "disabled");